# How to create a VPN server with Microsoft Azure
## Introduction
[Microsoft Azure](https://azure.microsoft.com/en-us) is a cloud computing platform that provides a range of options for people looking to host their services on the cloud. Azure's extensive features and benefits make it a great choice to host a VPN server.
With Microsoft Azure, you can easily create and manage various virtual machines (VMs). Its global network of data centers ensures fast and reliable access to your services from anywhere in the world. Additionally, Azure has a flexible pricing model, offering a free subscription and allowing you to pay only for the resources you use once the free trial expires.
By using [Meshnet](https://nordvpn.com/meshnet/) in tandem with Azure, you can turn a simple VM into a secure VPN server without any advanced configuration.
This guide showcases how you can make a VPN server from a VM hosted by Microsoft Azure using Meshnet’s traffic routing feature.
{% hint style="info" %}
**Note**
Be aware that by setting up your own VPN server, you increase your online privacy but not to the same extent as when connecting to a regular VPN server provided by NordVPN, which follows a [strict no-logs policy](https://nordvpn.com/features/strict-no-logs-policy/).
{% endhint %}
## Before you begin
To follow this guide, you need an active Microsoft Azure account. You can sign up for free on the [Azure website](https://azure.microsoft.com/en-us/free/).
## Deploy a virtual machine on Microsoft Azure
First, you need to create a VM on Azure. While this guide focuses on setting up an Ubuntu VM, Azure allows you to create Windows VMs as well.
### Method 1: Creating a VM using Azure Portal
1. Log in to your [Azure account](https://portal.azure.com/).
2. From your Azure portal, click **Virtual machines**.
3. Click **Create** and select **Azure virtual machine**.
4. In the **Instance details** section, name your VM, select its region, and choose the operating system (for example, Ubuntu 22.04 LTS).
5. Under **Administrator account**, select SSH public key authentication or create a password and choose the name of the administrator user of the VM.
6. Click **Review + create**.
7. Click **Create**.
{% hint style="info" %}
**Note**
If you chose the SSH key authentication type, you will receive a **Generate new key pair** message after clicking the **Create** button. Select the **Download private key and create resource** option to download the private key file.
{% endhint %}
### Method 2: Creating a VM using Azure CLI
Another method of managing Azure resources is the Azure Command-line interface (CLI). The Azure CLI allows you to create, deploy, and manage your Azure resources without using the internet browser. This method is highly beneficial for automation or server environments.
#### Install Azure CLI
To interact with Azure using CLI, you need to install the Azure CLI application on your device. Installation instructions for all compatible operating systems can be found on the [Azure CLI documentation page](https://learn.microsoft.com/en-us/cli/azure/).
* [Instructions for Windows](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli)
* [Instructions for macOS](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-macos)
* [Instructions for Linux](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt)
#### Log in to Azure
Upon installing Azure CLI, log in to your Azure account by taking these steps:
1. Open **PowerShell** (on Windows) or **Terminal** (on macOS and Linux).
2. Run the following command to start the login process:
az login
3. Open the generated URL in an internet browser.
4. Log in to your Azure account.
5. Authenticate using the code provided in your CLI window.
#### Create your resource group
Azure uses resource groups to manage your VMs and their related resources. To create a resource group for your VPN server:
{% tabs %}
{% tab title="Windows" %}
1. Open **PowerShell**.
2. Define the environmental variables for your VM by running the following commands:
\
Where:
* `` is a custom name for your resource group.
* `` is the region where your VM will be located.
* You can check region names with the `az account list-locations -o table` command.
* `` is a custom name for your VM.
* `` is the name of the operating system image for your VM.
* You can find image names for Ubuntu Server on the [Ubuntu documentation page](https://ubuntu.com/server/docs/find-ubuntu-images-on-azure).
* `` is the name of the user account for your VM.\
\
**Example**
3. Create the resource group with this command:
az group create --name $env:RESOURCE_GROUP_NAME --location $env:LOCATION
{% hint style="info" %}
**Note**
The environmental variables will be reset if you close the PowerShell window.
{% endhint %}
{% endtab %}
{% tab title="macOS and Linux" %}
1. Open **Terminal**.
2. Define the environmental variables for your VM by running the following commands:
Where:
* `` is a custom name for your resource group.
* `` is the region where your VM will be located.
* You can check region names with the `az account list-locations -o table` command.
* `` is a custom name for your VM.
* `` is the name of the operating system image for your VM.
* You can find image names for Ubuntu Server on the [Ubuntu documentation page](https://ubuntu.com/server/docs/find-ubuntu-images-on-azure).
* `` is the name of the user account for your VM.\
\
**Example**
3. Create the resource group with this command:
az group create --name $RESOURCE_GROUP_NAME --location $LOCATION
{% hint style="info" %}
**Note**
The environmental variables will be reset if you close the Terminal window.
{% endhint %}
{% endtab %}
{% endtabs %}
#### Deploy the VM
With the environment variables defined and the resource group created, you can deploy your VM in Azure.
{% tabs %}
{% tab title="Windows" %}
In **PowerShell**, execute the following command to create the virtual machine in Azure:
{% code overflow="wrap" %}
```powershell
az vm create `
--resource-group $env:RESOURCE_GROUP_NAME `
--name $env:VM_NAME `
--image $env:VM_IMAGE `
--admin-username $env:ADMIN_USERNAME `
--generate-ssh-keys `
--public-ip-sku Standard
```
{% endcode %}
This command automatically generates an SSH key pair for your VM and places it in the default SSH directory (`~/.ssh`). Once the VM is created, you will see an output of the VM's information.
{% endtab %}
{% tab title="macOS and Linux" %}
In **Terminal**, execute the following command to create the virtual machine in Azure:
{% code overflow="wrap" %}
```bash
az vm create \
--resource-group $RESOURCE_GROUP_NAME \
--name $VM_NAME \
--image $VM_IMAGE \
--admin-username $ADMIN_USERNAME \
--generate-ssh-keys \
--public-ip-sku Standard
```
{% endcode %}
This command automatically generates an SSH key pair for your VM and places it in the default SSH directory (`~/.ssh`). Once the VM is created, you will see an output of the VM's information.
{% endtab %}
{% endtabs %}
## Access the virtual machine
Once your VM is deployed, you can access it over SSH. The way to access the VM depends on which authentication method you chose while creating it.
{% tabs %}
{% tab title="SSH public key authentication" %}
### Changing permissions for the private key
To use the SSH key for authentication, you need to set the private key’s permissions to read-only.
#### Windows
1. Open **PowerShell**.
2. Run the following three commands to apply the permission change, substituting `` with the path to the downloaded private key:
**Example**
#### macOS and Linux
1. Open **Terminal**.
2. Run the following command to apply the permission change, substituting `` with the path to the downloaded private key:
### Connecting over SSH
1. Locate the public IP address of your VM.
* You can find the public IP in the **Overview** section of the VM in your Azure Portal.\
\
* If you created the VM using Azure CLI, you can run one of the following commands:\
\
For Windows in **PowerShell**:
az vm show -d -g $env:RESOURCE_GROUP_NAME -n $env:VM_NAME --query publicIps -o tsv
\
For macOS and Linux in **Terminal**:
az vm show -d -g $RESOURCE_GROUP_NAME -n $VM_NAME --query publicIps -o tsv
2. Run the `ssh -i @` command in PowerShell or Terminal, where:
* `` is the location of the downloaded SSH private key.
* `` is the name of the administrator user of the VM.
* `` is the VM’s public IP address.
**Example**
3. Type in `yes` and press **Enter** to confirm the connection.
You should now be connected to your Azure VM.
{% endtab %}
{% tab title="SSH password authentication" %}
1. Locate the public IP address of your VM. It can be found in the **Overview** section of the VM in your Azure Portal.\
\
2. Open **Terminal** (on Linux and macOS) or **Command Prompt** (on Windows).
3. Run the `ssh @` command, where:
* `` is the name of the administrator user of the VM.
* `` is the VM’s public IP address.\
\
**Example**
ssh meerkat@20.82.123.153
4. Enter your authentication password.
5. Type in `yes` and press **Enter** to confirm the connection.
You should now be connected to your Azure VM.
{% endtab %}
{% endtabs %}
## Install NordVPN on the virtual machine
Follow these steps to install NordVPN on your virtual server:
1. Download and install the NordVPN Linux client by running the command below.
sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)
2. Log in to your NordVPN account.
### Log in to NordVPN
You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
* By running the `nordvpn login` command with the `--token` flag
* By running the `nordvpn login` command with the `--callback` flag
Instructions for both methods are outlined below.
Log in using a token
1. On any device, log in to your [Nord Account](https://my.ndaccount.com/) dashboard and select the **Meshnet (by NordVPN)** card.
2. Under **Advanced settings**, select **Get access token**.
3. Enter the verification code sent to your email address.
4. Under **Access token**, click **Generate new token**.
5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select **Generate token**.
6. Select **Copy and close**.
7. On your VM, run the `nordvpn login --token ` command, replacing `` with the copied token.\
\
**Example**
You should now see a welcome message.
Log in using a URL
1. Run the following command:
```
nordvpn login
```
2. Open the provided link on any device in your browser.
3. Complete the login procedure.
4. Right-click the **Continue** button and select **Copy link address**.
5. Run the `nordvpn login --callback ""` command, replacing `` with the previously copied link address.\
\
**Example**
You should now see a welcome message.
{% hint style="success" %}
**Tip**
To preserve your token when logging out of the NordVPN app, use the `nordvpn logout --persist-token` command. Otherwise, your token will be revoked.
{% endhint %}
{% hint style="info" %}
**Note**
If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter `sudo usermod -aG nordvpn $USER`. Then, reboot your instance and log back in.
{% endhint %}
## Enable Meshnet
Upon logging in, you can [enable Meshnet on Linux](https://meshnet.nordvpn.com/getting-started/how-to-start-using-meshnet/using-meshnet-on-linux#enable-meshnet-on-linux) by typing this command:
{% code overflow="wrap" %}
```bash
nordvpn set meshnet on
```
{% endcode %}
To check your server’s Nord name and the Meshnet IP address, enter the following command:
{% code overflow="wrap" %}
```bash
nordvpn meshnet peer list
```
{% endcode %}
**Example**
You will also see all of your Meshnet peer devices with their [corresponding permissions](https://meshnet.nordvpn.com/features/explaining-permissions).
### Grant the traffic routing permission
To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:
{% code overflow="wrap" %}
```bash
nordvpn meshnet peer routing allow
```
{% endcode %}
**Example**
{% code overflow="wrap" %}
```bash
nordvpn meshnet peer routing allow secret.meerkat-andes.nord
```
{% endcode %}
For more information, see the [Traffic routing permissions](https://meshnet.nordvpn.com/features/explaining-permissions/traffic-routing-permissions#changing-permissions) page.
## Connect to your VPN server
With Meshnet enabled and the permissions granted, your peer devices should now be able to connect to the server. To connect, start routing traffic from a client device through the VM, which you can find in the list of your Meshnet peer devices.
For specific instructions, see the [Routing traffic in Meshnet](https://meshnet.nordvpn.com/features/routing-traffic-in-meshnet#see-also) article.
[Your IP address](https://nordvpn.com/what-is-my-ip/) should now be the same as the virtual machine’s. This way, your real public IP address is protected, and the websites you visit will see the location of your VPN server instead of your actual device.
